Security Incidents mailing list archives

weird b.cgi
From: HalbaSus <halbasus () go ro>
Date: Sun, 8 Sep 2002 15:33:59 +0000

I recently noticed in httpd-access.log these entries

200.140.XXX.XXX - - [03/Sep/2002:16:42:28 +0000] "GET /b.cgi?money&333596165&7503274E2F69 HTTP/1.1" 404 277 "-" "Mozilla"
62.98.XXX.XXX - - [03/Sep/2002:17:19:47 +0000] "GET /b.cgi?money&332156089&538030224B00 HTTP/1.1" 404 277 "-" "Mozilla"

I searched for info about b.cgi on Google and it says it's a worm that tries to 
connect to a few listed sites, get some encrypted commands and execute them 
on the virused host. 

But why would he connect to my site? (I even noticed such entries on my home 
dial-up system.) I suspect it's some worm/scanner (like codered 'n stuff) but 
what vulnerability could someone find in b.cgi?

Does anybody know something about this? 
BTW, I traced the IP to Brazil... home of the script kiddie groups... could it 
be some of their ./haxor-script -scan_the_internet stuff?


-- 
-------------------
Proud member of PentaGuard
"Making the net a safer place since 1998"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
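
A triage pass over an access log for the request shape quoted in the post above, as an added example that is not part of the original message. The function names and the sample lines (documentation-range addresses, one line wrapped the way a mail client wraps it) are constructed for illustration; only the `/b.cgi?word&decimal&hex` shape comes from the post.

```python
import re
from collections import defaultdict

# Combined Log Format, as in the httpd-access.log excerpt in the post.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+)[^"]*" (?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<agent>[^"]*)"$'
)
# Query shape from the post: /b.cgi?<word>&<decimal>&<hex>
BEACON = re.compile(r'^/b\.cgi\?(?P<word>[A-Za-z]+)&(?P<num>\d+)&(?P<hex>[0-9A-Fa-f]+)$')
RECORD_START = re.compile(r'^\S+ \S+ \S+ \[')

# Constructed sample input; the addresses are documentation ranges, not real clients.
SAMPLE = '''192.0.2.10 - - [03/Sep/2002:16:42:28 +0000] "GET
/b.cgi?money&333596165&7503274E2F69 HTTP/1.1" 404 277 "-" "Mozilla"
198.51.100.7 - - [03/Sep/2002:17:19:47 +0000] "GET /b.cgi?money&332156089&538030224B00 HTTP/1.1" 404 277 "-" "Mozilla"
192.0.2.10 - - [03/Sep/2002:18:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.5 - - [03/Sep/2002:18:05:00 +0000] "GET /b.cgi?money&1&AB HTTP/1.1" 200 12 "-" "Mozilla"
'''

def rejoin(text):
    """Glue mail-wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] = records[-1] + " " + line.strip()
    return records

def summarize(text):
    """Per client: number of b.cgi hits, status codes seen, and the <word> fields."""
    out = defaultdict(lambda: {"hits": 0, "statuses": set(), "words": set()})
    for rec in rejoin(text):
        m = CLF.match(rec)
        b = BEACON.match(m.group("target")) if m else None
        if not b:
            continue
        entry = out[m.group("host")]
        entry["hits"] += 1
        entry["statuses"].add(int(m.group("status")))
        entry["words"].add(b.group("word"))
    return dict(out)

def needs_review(summary):
    """Clients that got anything other than 404: something answered at /b.cgi."""
    return sorted(h for h, e in summary.items() if e["statuses"] - {404})
```

A 404 for every hit, as in the two lines quoted in the post, means the server had nothing at that path; any other status is the case worth opening the server's document root for.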

